Bug 1715237 (CVE-2019-10149) - CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c
Summary: CVE-2019-10149 exim: Remote command execution in deliver_message() function i...
Status: CLOSED NOTABUG
Alias: CVE-2019-10149
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20190604:0430,...
Keywords: Security
Depends On: 1716935
Blocks: 1715238
Reported: 2019-05-29 21:16 UTC by Pedro Sampaio
Modified: 2019-06-13 13:12 UTC (History)
A flaw was found in the way exim validated recipient addresses. A remote attacker could use this flaw to execute arbitrary commands on the exim server with the permissions of the user running the application.
Clone Of:
Last Closed: 2019-05-30 03:56:19 UTC



Description Pedro Sampaio 2019-05-29 21:16:06 UTC
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to remote command execution.

References:

https://www.openwall.com/lists/oss-security/2019/06/04/1
https://exim.org/static/doc/security/CVE-2019-10149.txt

Comment 1 Pedro Sampaio 2019-05-30 00:12:51 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 2 Huzaifa S. Sidhpurwala 2019-05-30 03:56:19 UTC
As per the reporter:

"Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92 (released on February 10, 2019)"

Therefore lower versions of exim (Red Hat Enterprise Linux ships exim-4.63) are not affected by this flaw.

Comment 4 Huzaifa S. Sidhpurwala 2019-05-30 04:03:48 UTC
Statement:

Exim is vulnerable since version 4.87, therefore the version of exim package (exim-4.63) shipped with Red Hat Enterprise Linux 5 is not affected by this flaw.
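The version boundaries quoted in Comment 2 and restated in Comment 4 (affected from 4.87 up to and including 4.91, fixed in 4.92, older builds affected only if EXPERIMENTAL_EVENT was enabled by hand) are easy to get wrong in a fleet inventory. The script below is an added triage helper, not code from this bug or from the Exim project: it parses the first line of `exim -bV` output, which is assumed here to begin with "Exim version MAJOR.MINOR", and classifies the host against those boundaries. The sample output lines are constructed for the example. A version string cannot tell whether a distribution backported the fix without bumping the version, or whether an old build had EXPERIMENTAL_EVENT enabled, so the result is a first-pass classification to be confirmed against the vendor's package changelog.

```python
import re
from typing import Tuple

# Boundaries taken from the Exim advisory text quoted in this bug.
AFFECTED_MIN = (4, 87)   # first version vulnerable by default
FIXED_IN = (4, 92)       # first version carrying the fix

# Assumption: the first line of `exim -bV` starts with "Exim version X.YZ".
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)", re.MULTILINE)


def parse_exim_version(bv_output: str) -> Tuple[int, int]:
    """Return (major, minor) parsed from `exim -bV` output.

    Only the first two numeric components are used, so "4.92.1" compares
    as (4, 92); patch-level suffixes do not move a host across a boundary.
    """
    match = VERSION_RE.search(bv_output)
    if not match:
        raise ValueError("no 'Exim version' line found in input")
    return int(match.group(1)), int(match.group(2))


def classify_version(version: Tuple[int, int]) -> str:
    """Map a (major, minor) tuple onto the CVE-2019-10149 version ranges."""
    if version >= FIXED_IN:
        return "fixed"
    if version >= AFFECTED_MIN:
        return "affected"
    # Below 4.87 the vulnerable code is only compiled in with
    # EXPERIMENTAL_EVENT, which the version string cannot reveal.
    return "affected only if built with EXPERIMENTAL_EVENT"


def triage(bv_output: str) -> str:
    """Convenience wrapper: raw `exim -bV` text in, classification out."""
    return classify_version(parse_exim_version(bv_output))


# Constructed sample outputs in the shape `exim -bV` prints its first line.
SAMPLES = {
    "rhel5-mx": "Exim version 4.63 #1 built 01-Jan-2009 00:00:00\n",
    "epel-mx":  "Exim version 4.91 #1 built 13-Feb-2018 12:34:56\n",
    "new-mx":   "Exim version 4.92 #3 built 10-Feb-2019 08:00:00\n",
}

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        print(f"{host}: {parse_exim_version(output)} -> {triage(output)}")
```

On a real host, feed the script `exim -bV` output (for example via `subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout`) instead of the constructed samples, and treat an "affected" result as a prompt to check the package changelog for a backported fix before concluding the host is exposed.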

Comment 5 Dhananjay Arunesh 2019-06-04 12:26:33 UTC
Created exim tracking bugs for this issue:

Affects: epel-all [bug 1716935]

Comment 12 Huzaifa S. Sidhpurwala 2019-06-06 10:50:41 UTC
External References:

https://www.exim.org/static/doc/security/CVE-2019-10149.txt

Comment 14 Tomas Hoger 2019-06-10 10:06:39 UTC
The above fix was included in mainline / 4.92 via the following commit from Sep 2018:

https://git.exim.org/exim.git/commitdiff/7ea1237c783e380d7bdb86c90b13d8203c7ecf26

